Program Correctness
2
Program Verification
• An object is a finite state machine:
  – Its attribute values are its state.
  – Its methods optionally:
    • Transition it from one state to another;
    • Produce a return value.
• We deal with static methods: Functions.
• The discussion can be extended to objects.
3
• Let function f: I → O, where
  – I is the set of valid input
  – O is the set of valid output
• Let program P compute f.
• If ∀i ∈ I, P(i) = f(i), then P correctly computes f.
• If I is an int, then |I| > 1 billion.
• Idea: Prove that P computes f without testing.
4
Partial Correctness
An initial assertion states the properties of valid input.
A final assertion states the properties of valid output.
Let program [segment] S have:
  initial assertion p
  final assertion q.
If
  (p is true for S’s input ∧ S terminates) → q is true for S’s output
then
  S is partially correct with respect to p & q, denoted p{S}q.
5
Correctness
• A program [segment] is correct when:
– It is partially correct.
– It terminates on all valid input.
• Initial & final assertions specify the function.
• N.B.
– Humans create the specification.
– A specification thus is a source of error.
– If specifying a function is more error-prone than programming it,
  then “Houston, we have a problem.”
6
Is this Java segment correct?
assert ( y >= 0 );
int x = y*y;
x *= x*x;
assert x == y*y*y*y*y*y;
1. Let p be the initial assertion: y >= 0.
2. Let q be the final assertion: x == y⁶.
3. If p, then
   1. x == y² after the 1st statement,
   2. x == y²*y²*y² after the 2nd statement.
Is the above proof correct?
7
Is this Java segment correct?
assert ( y >= 0 ) && ( Math.pow(y, 6) <= Integer.MAX_VALUE );
int x = y*y;
x *= x*x;
assert x == y*y*y*y*y*y;
1. Let p & q be the initial & final assertion, respectively.
2. If p, then
   1. x == y² after the 1st statement,
   2. x == y²*y²*y² after the 2nd statement,
   3. no overflow occurs.
8
Rules of Inference
• Let segment S be segment S1 followed by segment S2, written S = S1;S2.
• Composition inference rule:
  ( p{S1}q ∧ q{S2}r ) → p{S1;S2}r
  “If p is true and S1 & S2 terminate, then r is true.”
9
Conditional Statements
Suppose we have a segment of the form:
  if ( condition )
    S
where condition is boolean & S is a segment.
Let p & q be initial & final assertions.
  ( p ∧ condition ){S}q
  ( p ∧ ¬condition ) → q
  __________________
  p{ if ( condition ) S }q.
10
Suppose we have a segment of the form:
  if ( condition )
    S1
  else
    S2
  ( p ∧ condition ){S1}q
  ( p ∧ ¬condition ){S2}q
  _______________________
  p{ if ( condition ) S1 else S2 }q.
11
Loop Invariants
Suppose we have a segment of the form:
  while ( condition )
    S
If assertion p is true whenever S is executed, it is a loop invariant.
Let p be a loop invariant.
  ( p ∧ condition ){S}p
  ______________________________
  p{ while ( condition ) S }( ¬condition ∧ p ).
12
static int multiply( int m, int n ) {                 // assume int is unbounded
    boolean p = true, q = false, r = false, s = false, t = false;
    assert p;                                         // p represents: int m, n;
    int a = ( n < 0 ) ? -n : n;
    assert q = ( p && a == Math.abs( n ) );           // q: a is |n|
    int k = 0, x = 0;
    assert r = ( q && k == 0 && x == 0 );             // r: loop counters initialised
    while ( k < a ) {
        x += m;
        k++;
        assert k <= a && x == m*k;                    // loop invariant
    }
    assert s = ( x == m*a && a == Math.abs( n ) );    // s: loop exited with k == a
    int product = ( n < 0 ) ? -x : x;
    assert t = ( product == n*m );                    // t: final assertion
    return product;
}
13
Correctness Proof Framework
1. Show that p → q → r → s → t.
2. Conclude that p → t.
3. Show that all program segments terminate.
4. Conclude that the program is correct.
Again, we omitted overflow considerations.
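An added worked example (written in Python rather than the deck's Java, and not part of the original slides): the y⁶ segment is executed under Java's 32-bit int wraparound to show where the first proof fails and why the strengthened precondition repairs it, and the multiply procedure is executed with its assertions q..t and the loop invariant checked on every iteration. The helper names (to_int32, partially_correct, and the segment functions) are my own.

```python
# Added example, not from the slides: check the deck's Hoare triples by execution.
INT_MAX = 2**31 - 1

def to_int32(v):
    """Wrap a Python integer the way Java int arithmetic does (two's complement)."""
    v &= 0xFFFFFFFF
    return v - 2**32 if v > 0x7FFFFFFF else v

def sixth_power_segment(y):
    """`int x = y*y; x *= x*x;` under Java int semantics, with the weak precondition.
    Returns (p, q): p is the initial assertion y >= 0, q the mathematical x == y^6."""
    p = y >= 0
    x = to_int32(y * y)
    x = to_int32(x * (x * x))
    q = x == y**6
    return p, q

def sixth_power_segment_strengthened(y):
    """Same segment with the slide's strengthened precondition y^6 <= Integer.MAX_VALUE."""
    p = y >= 0 and y**6 <= INT_MAX
    return p, sixth_power_segment(y)[1]

def partially_correct(segment, inputs):
    """p{S}q holds on the sample inputs if q is true whenever p is true
    (S always terminates here, so partial and total correctness coincide)."""
    return all(q for p, q in map(segment, inputs) if p)

def multiply(m, n):
    """The deck's multiply procedure; each assert is one of its intermediate assertions."""
    a = -n if n < 0 else n
    assert a == abs(n)                      # q
    k, x = 0, 0
    assert k == 0 and x == 0                # r
    while k < a:
        x += m
        k += 1
        assert k <= a and x == m * k        # loop invariant, checked every iteration
    assert x == m * a and a == abs(n)       # s
    product = -x if n < 0 else x
    assert product == n * m                 # t
    return product

if __name__ == "__main__":
    # constructed sample inputs: 35**6 fits in a Java int, 36**6 does not
    print(sixth_power_segment(35), sixth_power_segment(36))
    print(partially_correct(sixth_power_segment, range(40)))
    print(partially_correct(sixth_power_segment_strengthened, range(100)))
    print(multiply(7, -3), multiply(-4, 5))
```

Running the weak-precondition segment over y = 0..39 reports the triple as violated at y = 36, while the strengthened precondition simply excludes those inputs and the triple holds.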
14